Auditting i Phone and i Pad applications Ilja

Auditting i. Phone and i. Pad applications Ilja van Sprundel

Who am I? • Ilja van Sprundel • IOActive • netric • blogs. 23. nu/ilja

• • What this talk is[n’t] about is: • • • common security issues seen in 3 rd party i. OS applications possible fix or mitigation of them document how to exploit them in some cases isn’t: • bugs in i. OS itself • to some extend it does cover some api shortcomings

Introduction • • • Mobile app market exploded over the last 2 years lots of demand for security reviews of i. Phone and i. Pad apps over the last year or so Very little has been published I’ve done a number of them in the last 10 months notes of what I’ve learned so far

Application environment • native applications • i. OS, port of Mac. OSX to arm cpu • obj-c (strict c superset) • obj-c classes take care of most low level handling (memory allocations, . . )

Transport security • fair amount of i. OS apps need to do secure transactions • online banking, online trading, . . . • They will use SSL • use of https: // urls passed to NSURLRequest / NSURLConnection • api uses a set of default ciphers:

Transport security

Transport security • TLS_RSA_WITH_DES_CBC_SHA • TLS_RSA_EXPORT_WITH_RC 40_MD 5 • TLS_RSA_EXPORT_WITH_DES 40_CBC_ SHA • TLS_DHE_RSA_WITH_DES_CBC_SHA • TLS_DHE_RSA_EXPORT_WITH_DES 40_ CBC_SHA

Transport security • on by default • no (documented) way to turn it off • this is (kinda) documented: from apple’s Secure Coding Guide (2010 -02 -12), page 29

Transport security • SSL api’s on i. OS aren’t granular enough • developer should be able to set ciphersuites • can’t fix it, but you can mitigate it • include an ssl library and use that one (e. g. Cya. SSL and Matrix. SSL are build for embedded use)

Transport security • documentation said secure trasport programming not available, use CFNetwork • CFNetwork doesn’t allow setting ciphersuites (AFAIK) • it does have api’s for some other things: • • allow expired certs allow expired roots allow any root don’t validate certificate chain

Transport security NSMutable. Dictionary *settings = [[NSMutable. Dictionary alloc] init]; [settings set. Object: [NSNumber number. With. Bool: YES] for. Key: (NSString *)k. CFStream. SSLAllows. Expired. Certificates]; [settings set. Object: [NSNumber number. With. Bool: YES] for. Key: (NSString *)k. CFStream. SSLAllows. Expired. Roots]; [settings set. Object: [NSNumber number. With. Bool: YES] for. Key: (NSString *)k. CFStream. SSLAllows. Any. Root]; [settings set. Object: [NSNumber number. With. Bool: NO] for. Key: (NSString *)k. CFStream. SSLValidates. Certificate. Chain]; CFRead. Stream. S et. Property((CFRead. Stream. Ref)input. Stream, k. CFStream. Property. SSLSettings, (CFDictionary. Ref)settings); CFWrite. Stream. Set. Property((CFWr ite. Stream. Ref)output. Stream, k. CFStream. Property. SSLSettings, (CFDictionary. Ref)settings);

Transport security • Luckily none of that is on by default! • takes quite some work to screw this up for a developer • however it’s not unthinkable: “wait, we shipped that debug code ? ? ? ”

url handler’s / IPC • By design i. Phone does not allow sharing between applications • application developers sometimes need to share anyway • developers (initially)found a way around this • This now appears to be supported by apple (according to developer. apple. com)

url handler’s / IPC • Application can register a url handler • other application would call url, with data • rather simple IPC mechanism • http: //mobileorchard. com/appleapproved-iphone-inter-processcommunication/

url handler’s / IPC • info. plist file: • code looks like: - (BOOL)application: (UIApplication *)application handle. Open. URL: (NSURL *)url { [view. Controller handle. URL: url]; return YES; }

url handler’s / IPC • any webpage can call that link too • any webpage can now also do IPC with the application • this IPC mechanism clearly had unintended consequences

url handler’s / IPC • so the browser can call the url handlers too • wouldn’t it be neat if we could get it done without tricking a user into visiting a webpage from their mobile safari ?

url handler’s / IPC • i. OS 3 (and beyond) has this neat wifi hotspot feature • if it connects to a wifi network, and detects redirection, it assumes it’s a wifi hotspot • pops up mobile safari, and goes to the redirected page • see http: //support. apple. com/kb/HT 3867

url handler’s / IPC • looks like this:

url handler’s / IPC • Attack is quite simple • you must be on the same lan • knock i. OS device off the network • when it rejoins, forge the redirect to your webpage

url handler’s / IPC • on by default • you can turn it off (on i. OS 4)

url handler’s / IPC • Starting from i. OS 4. 2 there is newer api that should be used • application: open. URL: source. Application: annotation • from the documentation:

url handler’s / IPC • Open. URL is a much more elegant api for IPC • shows you who’s calling (so you can reject the browser for example) • allows passing of object instead of serializing over url arguments

UIWeb. View • can be used to build gui (mostly in weblike environments) • basically renders html (can do javascript!) • a browser window more or less

UIWeb. View • Vulnerable to attack (if used as a gui) • if attacker can inject unescaped data • will lead to Cross site scripting

UIWeb. View • • by default there is no bridge from UIWeb. View’s javascript to actual obj-c most i. OS apps developers that use UIWeb. View (for gui’s) would like there to be one url handler, only valid for that specific UIWeb. View should. Start. Loading. With. Request: method

UIWeb. View • that url handler can do anything you want it to do • most UIWeb. View’s url handler are used to handle some internals, arguments are considered trusted! • even worse, a lot of them serialize/unserialize a methodname and parameters !

UIWeb. View

UIWeb. View • if used simply as a browser • can do a lot more than render html and interact with a webapplications • can parse and render a large number of file formats (and will not prompt user first!)

UIWeb. View • • • Excel (xls) keynote (. key. zip) (and also zip files) numbers (. numbers. zip) Pages (. pages. zip) pdf (. pdf) powerpoint (. ppt) word (. doc) rtf (. rtf) / rtf dictionary (. rtfd. zip) keynote ’ 09 (. key) numbers ’ 09 (. numbers) pages ’ 09 (. pages)

UIWeb. View • • • Very long list enormously difficult file formats to parse once parsed it gets rendered • • as html in the current DOM apple api’s, but they are in proc ! on by default no way to turn this off

UIWeb. View • does a number of other things: • e. g. try to detect phone numbers and turns them into tell: // url’s • you can turn this off • set detect. Phone. Numbers property to NO

UIWeb. View • mitigation: render out of proc • give url to safari instead of rendering in UIWeb. View • attack surface reduction • if a bug gets exploited now, your application is no longer affected.

UIImage • Wide attack surface very similar to UIWeb. View’s • UIImage is a general image class • can handle a _LOT_ of image file formats

UIImage • • tiff jpeg png bmp ico cur xbm gif

UIImage • not to mention some extensions that work with various image file formats: • exif • ICC profiles

UIImage • Huge attack surface • there is no property to specify which one you want and which you don’t want

UIImage • 2 possible workaround • UIImage allows using CGImage. Ref • use more low-level Core Graphics library to specifically load jpg or png • then feed the CGImage. Ref to UIImage

UIImage • • • or you could just look at the first couple of bytes of the image file each graphics format is trivial to detect based on some magic bytes in the begining for example: • • png signature: 137 80 78 71 13 10 26 10 (decimal) jpg signature: 4 A 46 49 46 GIF signature: 47 49 46 38 39 61 or 47 49 46 38 37 61 BMP: first 2 bytes: “BM”

header / xml injection • not i. OS specific, however rampant in mobile apps • mostly with regards to interacting with webservices • dev’s implement their own http handing stuff • forget things like escaping r, n, “, . . .

header / xml injection • Consider the following example: - (NSData *)HTTPHdr. Data { NSMutable. String *metadata. String = [NSMutable. String string]; [metadata. String append. String: @"Content-Disposition: form-data"]; if (self. name) [metadata. String append. Format: @"; name="%@"", self. name]; if (self. file. Name) [metadata. String append. Format: @"; filename="%@"", self. file. Name]; [metadata. String append. String: @"rn"]; if (self. content. Type) [metadata. String append. Format: @"Content-Type: %@rn", self. content. Type]; … return result; }

header / xml injection • • i. OS has some decent api’s for this NSMutable. URLRequest • • add. Value: for. HTTPHeader. Field set. Value: for. HTTPHeader. Field not vulnerable to injection although they do fail silently if injection is detected

Format string bugs • • i. Phone apps use obj-c which is native code however, if you stick to the obj-c syntax and the classes provided, chances of overflows and the like are small (the provided classes can do almost anything you want) provided classes also have format based functions

Format string bugs • these formatstring functions can also lead to formatstring bugs • seems most i. OS apps are riddled with it • most i. OS apps developers don’t seem to know this is a problem

Format string bugs • vulnerable obj-c methods • • NSLog() [NSString string. With. Format: ] [NSString init. With. Format: ] [NSMutable. String append. Format: ] [NSAlert informative. Text. With. Format: ] [NSPredicate predicate. With. Format: ] [NSException format: ] NSRun. Alert. Panel

Format string bugs • • obj-c is a superset of c so all c fmt functions could also be abused in i. OS apps: • • printf snprintf fprintf. . .

Exploiting bugs

binary protocol handling • • said before • • obj-c superset of c stick to NS* objects, mostly safe binary protocol handling is sort of the exception no good obj-c classes for that developers have to fall back to old c-style binary protocol parsing.

Directory traversal • i. OS has similar file api’s as Mac. OSX • same types of desktop/server os file issues • NSFile. Manager

Directory traversal • classic dir traversal: NSString *file = [[NSString alloc] init. With. Format: @"%@/%@", NSTemporary. Directory(), attacker. Controlled. String]; NSFile. Manager *m = [NSFile. Manager default. Manager]; [m create. File. At. Path: text contents: nsd attributes: nil]; • . . / will work.

• Directory traversal Poison NULL byte NSString *file = [[NSString alloc] init. With. Format: @"%@/%@. ext", NSTemporary. Directory(), attacker. Controlled. String]; NSFile. Manager *m = [NSFile. Manager default. Manager]; [m create. File. At. Path: text contents: nsd attributes: nil]; • • . . /blah This works, because NSStrings don’t use 0 bytes to terminate a string, but the i. OS kernel does.

NSXMLParser • NSXMLParser is the class used to parse xml files • it handles DTD’s by default • billion laughs • no way to turn it off • doesn’t resolve external entities by default • can be turned on

NSXMLParser • There’s kindof a hairy workaround. • 6 callbacks can be defined, that will be called if a DTD is encountered. • • • found. Element. Declaration. With. Name found. Attribute. Declaration. With. Name found. Internal. Entity. Declaration. With. Name found. External. Entity. Declaration. With. Name found. Notation. Declaration. With. Name found. Unparsed. Entity. Declaration. With. Name

NSXMLParser - (void) parser: (NSXMLParser*)parser found. External. Entity. Declaration. With. Name: (NSString*)entity. Name { [self abort: @"DTD"]; } - (void) parser: (NSXMLParser*)parser found. Attribute. Declaration. With. Name: (NSString*)attribute. Name. . . { [self abort: @"DTD"]; } - (void) parser: (NSXMLParser*)parser found. Element. Declaration. With. Name: (NSString*)element. Name model: (NSString*)model { [self abort: @"DTD"]; } (void) parser: (NSXMLParser*)parser found. Internal. Entity. Declaration. With. Name: (NSString*)name value: (NSString*)value { [self abort: @"DTD"]; } - (void) parser: (NSXMLParser*)parser found. Unparsed. Entity. Declaration. With. Name: (NSString*)name. . . { [self abort: @"DTD"]; } - (void) parser: (NSXMLParser*)parser found. Notation. Declaration. With. Name: (NSString*)name public. ID: (NSString*)public. ID. . . { [self abort: @"DTD"]; }

NSXMLParser • This works, but it’s hairy and error prone • it would be nice if NSXMLParser had a parse. DTD attribute

Questions ?